Nudging in the security context refers to the approach of guiding users towards secure behavior through the targeted design of software interfaces without forcing them. Typical means include secure default settings, clear password strength displays and automatic locks. The principle is called Security by Behavioral Design and is already applied during the design process.
Key Takeaways
- Most successful cyberattacks do not start with a technical vulnerability, but with a human error, such as clicking on a manipulated link.
- Nudging in the security context means making safe behavior the easiest option without forcing users: Those who do not actively opt out automatically end up with the secure setting.
- Configuring two-factor authentication via opt-out instead of opt-in significantly increases the usage rate because most users never change default settings.
- Security by Behavioral Design means integrating behavioral nudges as early as the design phase, not just when the application is finished, in order to optimize usability and security at the same time.
Humans are the most common gateway for successful attackers
Most successful cyber attacks do not start with a technical vulnerability, but with a human error. Erlijn van Genuchten estimates the proportion of attacks that enter via humans at around 85 percent. In other words, the majority.
A typical sequence of events: an email invites the victim to click on a link, enter a user name and password or download malware. Entry always requires an action on the part of the attacked person. This is precisely why it is not enough to simply close technical loopholes.
Experts often underestimate the human side of security. Pentesters like Erlijn van Genuchten focus their work on technical vulnerabilities, usually in websites. But if you want to prevent human errors, you also need to make the human factor as strong as possible.
Why even experienced users fall into the trap
Lack of knowledge is only one side of the scale. Anyone who has nothing to do with cybersecurity professionally is naturally unfamiliar with it and has little reason for further training. The less knowledge there is, the easier it is for attackers.
On the other hand, there are very capable attackers who write precise emails. Even those who are in the know fall for it. Then there is everyday life. On a stressful Friday afternoon, when you’re rushing home, even a smart person can’t pay attention and click on something.
AI has raised the level of attackers. Phishing emails used to give themselves away with bad German. Today, some are so well worded that even trained eyes have to check the links.
One particularly nasty variant uses characters that can be confused. A small “l” looks like a capital “I” in some fonts. This makes it possible to create a fake address that can hardly be distinguished from the real one with the naked eye.
What nudging means in a security context
A nudge gives the user a slight push in the safe direction without forcing them. The principle originates from areas such as marketing and sustainability and can be applied to security decisions.
The core lies in the absence of coercion. Software makes the safe decision easy so that users are more likely to make it. Those who have good reasons can continue to choose the unsafe option. But those who are unfamiliar with it or don’t bother with it are more likely to end up with the secure option. That’s already a big win.
The approach addresses precisely the gap that further training alone does not close: People who have no interest or time to deal with security are nevertheless led into a better default setting.
Concrete nudges that everyone knows
Nudges can already be found in everyday software. Three mechanisms demonstrate the principle particularly clearly.
**Automatic lock** The smartphone locks itself after a short period of inactivity. Security happens here without anyone having to actively press a button. If you don’t want this, switch the lock off. It is on by default.
**Opt-in versus opt-out** A check mark that you have to set is an opt-in. A check mark that must be removed is an opt-out. Applied to two-factor authentication, this means that if it is activated by default and has to be actively deactivated, significantly more people use it than if they had to proactively click through the settings.
**Password strength indicator** When creating a password, a rating appears as “weak”, “medium” or “strong”, often highlighted in red, orange or green. This encourages a stronger password without forcing it. As long as the minimum guidelines are met, the weaker password remains possible. But the display shifts the choice.
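The strength indicator described above, as an added example that is not from the original article: a minimum policy that is enforced, a rough entropy estimate that only informs, and the weak/medium/strong label with its colour. The thresholds, the minimum length and the small common-password list are constructed for the example.

```python
import math
import re
import string

MIN_LENGTH = 8  # the only hard requirement (constructed policy for this example)

# Constructed list of very common passwords; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def estimate_entropy_bits(password: str) -> float:
    """Rough guess-space estimate: each character class used widens the per-character alphabet."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    if pool == 0:
        return 0.0
    # Collapse repeated runs ("aaaa" -> "a") so padding with one character does not inflate the estimate.
    collapsed = re.sub(r"(.)\1+", r"\1", password)
    return len(collapsed) * math.log2(pool)


def rate_password(password: str) -> dict:
    """Return what the form shows: whether the password is accepted at all, the label and its colour.
    A weak but accepted password is deliberate: the indicator nudges, only the policy blocks."""
    if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
        return {"accepted": False, "label": "weak", "colour": "red", "bits": 0.0}
    bits = estimate_entropy_bits(password)
    if bits < 40:
        label, colour = "weak", "red"
    elif bits < 60:
        label, colour = "medium", "orange"
    else:
        label, colour = "strong", "green"
    return {"accepted": True, "label": label, "colour": colour, "bits": round(bits, 1)}


if __name__ == "__main__":
    for pw in ("password", "sunshine", "Sunshine4", "Tr0ub4dor&3!", "aaaaaaaaaaaa"):
        print(pw, rate_password(pw))
```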
Reduction also helps with security settings. Instead of ten options, three are often enough, clearly explained in simple language. Someone choosing between three comprehensible options makes a better decision than someone who can no longer tell ten options apart.
Software can warn of social engineering
If an email can no longer be recognized as a scam, software can secure the next step. Browsers, for example, warn you when you are about to open a suspicious page.
For example, if you enter “googie.com”, where an “i” has taken the place of the “l” in “google”, the browser displays a warning and asks if you meant “google.com”. The browser knows that most people want to go to Google, not the look-alike. You can still go to the wrong site, but you will be warned before you enter any data.
With a clumsily constructed fake site, the difference is immediately noticeable. It becomes dangerous when someone builds a faithful copy of the real site. Then the warning is the last visible line of defense.
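The “did you mean google.com?” check described above, as an added example that is not taken from the article or from any browser: both the typed host and a list of well-known destinations are reduced to a skeleton in which confusable characters coincide (a much simplified version of the idea behind Unicode TR39 confusable skeletons). The popular-domain list and the confusable tables are constructed for the example.

```python
# Constructed list of well-known destinations; a browser would use a far larger one.
POPULAR_DOMAINS = {"google.com", "paypal.com", "microsoft.com"}

# Single-character look-alikes mapped to one canonical glyph. "i"/"1"/"|" all become "l",
# which is exactly the "l" versus "I" confusion from the article. A few Cyrillic homoglyphs
# are included so that a mixed-script copy of a Latin name collapses to the same skeleton.
CONFUSABLE_CHARS = str.maketrans({
    "i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
# Two-character sequences that read as one letter in many fonts.
SEQUENCE_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(host: str) -> str:
    """Canonical form of a host name in which look-alike spellings become identical."""
    s = host.lower().translate(CONFUSABLE_CHARS)
    for seq, canon in SEQUENCE_CONFUSABLES:
        s = s.replace(seq, canon)
    return s


# Skeleton -> genuine domain, computed once for the allow-list.
SKELETONS = {skeleton(d): d for d in POPULAR_DOMAINS}


def check_destination(typed_host: str):
    """Return None when the host is fine, or the warning text the browser should show.
    A genuine popular domain never triggers a warning; only a look-alike of one does."""
    host = typed_host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in POPULAR_DOMAINS:
        return None
    match = SKELETONS.get(skeleton(host))
    if match and match != host:
        return f"Did you mean {match}? The address {typed_host} looks similar but is not the same site."
    return None


if __name__ == "__main__":
    for h in ("google.com", "googie.com", "paypa1.com", "rnicrosoft.com", "example.com"):
        print(h, "->", check_destination(h))
```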
Security belongs in the construction plan right from the start
Nudges belong in the early phase of development, not as a retrofit. Erlijn van Genuchten applies the well-known principle of Security by Design to behavior and calls it Security by Behavioral Design.
When drawing the blueprint of the software, the behavioral aspects should be included at the point where the technical security aspects are considered.
- Erlijn van Genuchten
In practical terms, this means that if you carry out usability testing on the user interface, you can test the nudges at the same time. This allows you to check early on how users react and whether the nudge works. This is more effective and user-friendly than pressing the mechanisms into a finished application at a later stage.
The effect of nudges can be measured
Whether a nudge works can be checked with logging and simple comparisons. With opt-in or opt-out, all you need to do is take a look at the new registrations: How many activate two-factor authentication when they have to actively opt in, and how many keep it when they would have to actively opt out? The difference shows directly whether the default setting is making a difference.
Not every mechanism is equally measurable. Passwords are stored as a hash, so the strength of the password a user chose cannot be recovered from the database afterwards. For many other cases, database filters and simple statistics are sufficient.
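The opt-in versus opt-out comparison from the paragraph above, as an added example that is not from the article: the registration log is constructed, one record per new account with the default the user saw and whether two-factor authentication was still enabled at the end of sign-up. Adoption is computed per cohort and the gap is checked with a pooled two-proportion z-test, so a small difference on few registrations is not mistaken for an effect.

```python
import math
from collections import Counter

# Constructed registration log (500 accounts per cohort). "cohort" is the default shown,
# "tfa" is whether two-factor authentication was enabled when sign-up finished.
REGISTRATIONS = (
    [{"cohort": "opt_in", "tfa": True}] * 37 + [{"cohort": "opt_in", "tfa": False}] * 463
    + [{"cohort": "opt_out", "tfa": True}] * 431 + [{"cohort": "opt_out", "tfa": False}] * 69
)


def adoption_rates(records):
    """Per cohort: (accounts with 2FA enabled, total accounts, adoption rate)."""
    enabled, total = Counter(), Counter()
    for r in records:
        total[r["cohort"]] += 1
        enabled[r["cohort"]] += int(r["tfa"])
    return {c: (enabled[c], total[c], enabled[c] / total[c]) for c in total}


def two_proportion_z(e1, n1, e2, n2):
    """Pooled two-proportion z-test. Returns (z, two-sided p-value) for rate2 - rate1."""
    p1, p2 = e1 / n1, e2 / n2
    pooled = (e1 + e2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p2 - p1) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided tail of the standard normal
    return z, p_value


def compare_defaults(records):
    """Summarise the nudge's effect: adoption under each default, the gap and its significance."""
    rates = adoption_rates(records)
    e1, n1, r1 = rates["opt_in"]
    e2, n2, r2 = rates["opt_out"]
    z, p_value = two_proportion_z(e1, n1, e2, n2)
    return {
        "opt_in_rate": round(r1, 3),
        "opt_out_rate": round(r2, 3),
        "difference": round(r2 - r1, 3),
        "z": round(z, 2),
        "p_value": p_value,
    }


if __name__ == "__main__":
    print(compare_defaults(REGISTRATIONS))
```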
Usability and security do not have to be mutually exclusive
The ongoing conflict between convenience and security remains, but many nudges defuse it. They often even make things easier for the user because a secure default setting is already in place or the software takes over the assessment instead of imposing it on the user.
The automatic lock is a clear example of this: more security without additional effort. With two-factor authentication, on the other hand, the additional code can be inconvenient. Both exist side by side.
Those who test and refine nudges early on can make usability and security strong at the same time, instead of playing one off against the other. This is the real goal of Security by Behavioral Design.